When to ldap?

Dean, Barry B.Dean at liverpool.ac.uk
Thu May 13 11:05:02 CEST 2010


On 13 May 2010, at 06:54, Alan DeKok wrote:

> Dean, Barry wrote:
>> I am working on a new radius config and have been trying to avoid the lookup in LDAP I have been seeing for the outer identity.
>> 
>> I have moved to 2.1.8 with the inner-tunnel virtual host enabled.
>> 
>> I have an authorise section for the relevant virtual server that has:
> 
>  *which* virtual server?

	I have 3 virtual servers on this host, one is for just local authentication, one is for the JANET Roaming Service and one is for our local Guest Wireless service. The config section I posted was from the local auth virtual server.

	Complete config:

# Local auth
#
server radius {
        listen {
                ipaddr = <server ip>
                port = 0
                type = auth
        }
        listen {
                ipaddr = <server ip>
                port = 0
                type = acct
        }
        proxy_requests  = no

        $INCLUDE local-clients.conf

        authorize {
                preprocess
                auth_log
                if ("%{User-Name}" =~ /forbidden/i) {
                        update reply {
                                Reply-Message = "Cannot use this user account"
                        }
                        reject
                }
                chap
                mschap
                suffix
                eap {
                        ok = return
                }
                files
                if (!EAP-Message) {
                        ldap
                }
                expiration
                logintime
                pap
        }

        authenticate {
                Auth-Type PAP {
                        pap
                }
                Auth-Type CHAP {
                        chap
                }
                Auth-Type MS-CHAP {
                        mschap
                }
                unix
                Auth-Type LDAP {
                        ldap
                }
                Auth-Type EAP {
                        eap
                }
                eap
        }

        preacct {
                preprocess
                acct_unique
                suffix
                files
        }
        accounting {
                detail
                unix
                radutmp
                attr_filter.accounting_response
        }

        session {
                radutmp
        }

        post-auth {
                Post-Auth-Type REJECT {
                        attr_filter.access_reject
                }
                reply_log
        }
        pre-proxy {
                pre_proxy_log
        }

        post-proxy {
                eap
                post_proxy_log
        }
}


> 
>> The "if(!EAP-Message)" works a treat at preventing an LDAP lookup for the outer identity, but if I want to send a basic User-Name/User-Password type auth request after checking with LDAP and returning "Remote access is permitted", I then see:
>> 
>> No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
> 
>  And the *rest* of the debug log says.... ?

	Complete log is:
rad_recv: Access-Request packet from host 192.168.0.10 port 63775, id=111, length=49
        User-Name = "user"
        User-Password = "password"
        NAS-IP-Address = 192.168.0.10
server radius {
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]      expand: /log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /log/radacct/192.168.0.10/auth-detail-20100513
[auth_log] /log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /log/radacct/192.168.0.10/auth-detail-20100513
[auth_log]      expand: %t -> Thu May 13 09:47:31 2010
++[auth_log] returns ok
++? if ("%{User-Name}" =~ /forbidden/i)
        expand: %{User-Name} -> user
? Evaluating ("%{User-Name}" =~ /forbidden/i) -> FALSE
++? if ("%{User-Name}" =~ /forbidden/i) -> FALSE
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "user", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "user"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap-eduroam] No EAP-Message, not doing EAP
++[eap-eduroam] returns noop
++[files] returns noop
[ldap] performing user authorization for user
[ldap]  expand: %{Stripped-User-Name} -> user
[ldap]  expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=user)
[ldap]  expand: OU=UOL,DC=adserver,DC=liv,DC=ac,DC=uk -> OU=UOL,DC=adserver,DC=liv,DC=ac,DC=uk
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to adserver.liv.ac.uk:389, authentication 0
  [ldap] bind as CN=radius-account,OU=Service Accounts,OU=UOL,DC=adserver,DC=liv,DC=ac,DC=uk/special-password to adserver.liv.ac.uk:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
  [ldap] performing search in OU=UOL,DC=adserer,DC=liv,DC=ac,DC=uk, with filter (sAMAccountName=user)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[ldap] user user authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
Login incorrect: [user] (from client EZProxy port 0)
} # server radius
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> user
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.10 port 63775, id=111, length=49
Waiting to send Access-Reject to client EZProxy port 63775 - ID: 111
Sending delayed reject for request 0
Sending Access-Reject of id 111 to 192.168.0.10 port 63775
Waking up in 4.9 seconds.
Cleaning up request 0 ID 111 with timestamp +32

> 
>> I presume:
>> 
>>               if (!EAP-Message) {
>>                        ldap
>>                }
>> 
>> Fails to set Auth-Type LDAP?
> 
>  Yes.  It *shouldn't*, either.  That was a mistake from 1.x.

	I have seen the dire warnings about "Don't set Auth-Type = LDAP" so I have not ventured there as I am sure there are dragons.

----------------------
Barry Dean
Principal Programmer/Analyst
Networks Group
Computing Services Department
Tel: 0151 795 9540
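
A small triage script for radiusd -X output like the log above, added here as an example and not part of the thread or of FreeRADIUS itself: it pulls the per-module return codes out of the authorize trace and states why the request ended with no Auth-Type. The sample log is a constructed excerpt of the lines shown above.

```python
import re

# Constructed excerpt in the radiusd -X format shown in the thread (sample
# input for this example, not a full capture).
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.168.0.10 port 63775, id=111, length=49
        User-Name = "user"
        User-Password = "password"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[suffix] returns ok
[eap-eduroam] No EAP-Message, not doing EAP
++[eap-eduroam] returns noop
++[files] returns noop
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
++[ldap] returns ok
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
"""

# One line per module call in a section: "++[module] returns rc"
MODULE_RC = re.compile(r"^\+\+\[(?P<module>[\w.-]+)\] returns (?P<rc>\w+)$")

def authorize_trace(log):
    """Module return codes in call order, taken from the '++[module] returns rc' lines."""
    return [(m["module"], m["rc"]) for line in log.splitlines()
            if (m := MODULE_RC.match(line))]

def diagnose(log):
    """Classify a rejected Access-Request from the strings radiusd prints in the trace."""
    trace = dict(authorize_trace(log))
    facts = {
        "has_user_password": "User-Password = " in log,
        "eap_skipped": "No EAP-Message, not doing EAP" in log,
        "ldap_ok_no_password": trace.get("ldap") == "ok"
            and 'No "known good" password was found in LDAP' in log,
        "pap_noop": trace.get("pap") == "noop",
        "rejected_no_auth_type": "No authenticate method (Auth-Type)" in log,
    }
    if (facts["rejected_no_auth_type"] and facts["has_user_password"]
            and facts["ldap_ok_no_password"] and facts["pap_noop"]):
        facts["reason"] = ("ldap found the user but returned no password attribute, "
                           "so pap had nothing to check and no module set Auth-Type")
    elif facts["rejected_no_auth_type"]:
        facts["reason"] = "no Auth-Type set; check which authorize module was expected to set it"
    else:
        facts["reason"] = "not a missing-Auth-Type rejection"
    return facts

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```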
